himari-aws 0.1.0 → 0.3.0

data/lambda/entrypoint.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+# BUNDLE_GEMFILE is defined at Dockerfile
+require 'bundler/setup'
+require 'himari/aws/lambda_handler'

data/lambda/terraform/README.md

@@ -0,0 +1,92 @@
+# Himari Terraform modules for AWS Lambda
+
+himari-aws/lambda/terraform provides the following modules:
+
+- **iam:** to establish IAM role
+- **image:** to copy prebuilt container image for Lambda from ECR Public
+- **functions:** to deploy Lambda function
+- **signing_key:** to create a secret with auto rotation enabled on Secrets Manager
+
+## iam
+
+Provisions IAM role for Lambda functions.
+
+```terraform
+module "himari_iam" {
+  source = "github.com/sorah/himari//himari-aws/lambda/terraform/iam"
+
+  role_name = "HimariRole"
+
+  # for policy hardening
+  secrets_rotation_function_arn = module.himari_functions.secrets_rotation_function_arn
+
+  # Add grants
+  dynamodb_table_arn  = module.himari_functions.dynamodb_table_arn
+  secret_arns         = toset([module.himari_signing_key.secret_arn])
+}
+```
+
+## image
+
+Create ECR private repository then mirror specified image tag from https://gallery.ecr.aws/sorah/himari-lambda
+
+```terraform
+module "himari_image" {
+  source = "github.com/sorah/himari//himari-aws/lambda/terraform/image"
+
+  repository_name  = "himari-lambda"
+  source_image_tag = "" # Replace with image tag
+  architecture     = "x86_64" # or arm64; must match the Lambda architecture
+}
+```
+
+- Uses null_resource with `skopeo` command to copy the image to ECR private locally (requires `skopeo` on the machine running Terraform)
+- `architecture` selects which platform to copy out of the multi-arch source image (defaults to `x86_64`); set it to match the `architecture` you pass to the functions module
+- Requires Terraform >= 1.10 and AWS provider >= 5.83 (ephemeral resource for ECR credentials)
+- Prebuilt image tag is based on git commit SHA: https://github.com/sorah/himari/commits/main
+
+## functions
+
+Deploy lambda functions and DynamoDB table
+
+```terraform
+module "himari_functions" {
+  source = "github.com/sorah/himari//himari-aws/lambda/terraform/functions"
+
+  iam_role_arn = module.himari_iam.role_arn
+  image_url    = module.himari_image.image.url
+
+  dynamodb_table_name  = "himari"
+  function_name_prefix = "himari"
+
+  config_ru = file("${path.module}/config.ru")
+
+  environment = {
+    HIMARI_SIGNING_KEY_ARN   = module.himari_signing_key.secret_arn
+    HIMARI_SECRET_PARAMS_ARN = aws_secretsmanager_secret.params.arn
+  }
+}
+```
+
+## signing_key
+
+```terraform
+module "himari_signing_key" {
+  source = "github.com/sorah/himari//himari-aws/lambda/terraform/signing_key"
+
+  secret_name = "himari-prd-signing-key"
+
+  rotation_function_arn           = module.himari_functions.secrets_rotation_function_arn
+  rotate_automatically_after_days = 20
+}
+```
+
+## misc (not modules)
+
+Use secrets manager to store additional secrets like upstream client secrets and SECRET_KEY_BASE...
+
+```terraform
+resource "aws_secretsmanager_secret" "params" {
+  name = "himari-secret-params"
+}
+```

data/lambda/terraform/functions/aws.tf

@@ -0,0 +1,2 @@
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}

data/lambda/terraform/functions/dynamodb.tf

@@ -0,0 +1,18 @@
+resource "aws_dynamodb_table" "table" {
+  count = var.create_dynamodb_table ? 1 : 0
+
+  name         = var.dynamodb_table_name
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "pk"
+  range_key    = "sk"
+
+  attribute {
+    name = "pk"
+    type = "S"
+  }
+
+  attribute {
+    name = "sk"
+    type = "S"
+  }
+}

data/lambda/terraform/functions/lambda_rack.tf

@@ -0,0 +1,66 @@
+resource "aws_lambda_function" "rack" {
+  count = var.deploy_rack ? 1 : 0
+
+  function_name = "${var.function_name_prefix}-rack"
+
+  package_type  = "Image"
+  image_uri     = var.image_url
+  architectures = var.architectures
+
+  image_config {
+    command = ["himari_lambda_entrypoint.Himari::Aws::LambdaHandler.rack_handler"]
+  }
+
+  role = var.iam_role_arn
+
+  memory_size = var.rack_memory_size
+  timeout     = 20
+
+  environment {
+    variables = merge({
+      HIMARI_RACK_DYNAMODB_TABLE = var.dynamodb_table_name
+      HIMARI_DYNAMODB_TABLE      = var.dynamodb_table_name
+
+      # dependency trick. see below
+      HIMARI_RACK_DIGEST = nonsensitive(jsondecode(aws_dynamodb_table_item.config_ru[local.config_ru_dgst].item)["dgst"]["S"])
+
+      RACK_ENV = "production"
+    }, var.environment)
+  }
+
+  depends_on = [aws_dynamodb_table_item.config_ru]
+}
+
+resource "aws_lambda_function_url" "rack" {
+  count              = (var.deploy_rack && var.enable_function_url) ? 1 : 0
+  function_name      = aws_lambda_function.rack[0].function_name
+  authorization_type = "NONE"
+}
+
+resource "aws_dynamodb_table_item" "config_ru" {
+  # Employing dependency trick to make sure a previous config_ru item removed after the function environment value update.
+  # By using for_each every updates will be a new resource and is referred by aws_lambda_function as a dependency, old item will be removed after updating the function completes.
+  for_each = { "${local.config_ru_dgst}" = var.config_ru }
+
+  table_name = var.dynamodb_table_name
+  hash_key   = "pk"
+  range_key  = "sk"
+
+  # using sensitive to supress unwanted diff, and diff is useful as we use for_each here
+  item = sensitive(jsonencode({
+    "pk"   = { "S" = "rack" },
+    "sk"   = { "S" = "rack:${each.key}" },
+    "dgst" = { "S" = each.key },
+    "file" = { "S" = each.value },
+  }))
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [aws_dynamodb_table.table]
+}
+
+locals {
+  config_ru_dgst = base64sha256(var.config_ru)
+}

data/lambda/terraform/functions/lambda_secrets_rotation.tf

@@ -0,0 +1,33 @@
+resource "aws_lambda_function" "secrets_rotation" {
+  count = var.deploy_secrets_rotation ? 1 : 0
+
+  function_name = "${var.function_name_prefix}-secrets-rotation"
+
+  package_type  = "Image"
+  image_uri     = var.image_url
+  architectures = var.architectures
+
+  image_config {
+    command = ["himari_lambda_entrypoint.Himari::Aws::LambdaHandler.secrets_rotation_handler"]
+  }
+
+  role = var.iam_role_arn
+
+  memory_size = 128
+  timeout     = 20
+
+  environment {
+    variables = merge({
+    }, var.environment)
+  }
+}
+
+resource "aws_lambda_permission" "secrets_rotation_secretsmanager" {
+  count = var.deploy_secrets_rotation ? 1 : 0
+
+  statement_id   = "secretsmanager"
+  action         = "lambda:InvokeFunction"
+  function_name  = aws_lambda_function.secrets_rotation[0].function_name
+  principal      = "secretsmanager.amazonaws.com"
+  source_account = data.aws_caller_identity.current.account_id
+}

data/lambda/terraform/functions/outputs.tf

@@ -0,0 +1,19 @@
+output "dynamodb_table_name" {
+  value = var.dynamodb_table_name
+}
+
+output "dynamodb_table_arn" {
+  value = var.create_dynamodb_table ? aws_dynamodb_table.table[0].arn : null
+}
+
+output "function_url" {
+  value = (var.deploy_rack && var.enable_function_url) ? aws_lambda_function_url.rack[0].function_url : null
+}
+
+output "rack_function_arn" {
+  value = var.deploy_rack ? aws_lambda_function.rack[0].arn : null
+}
+
+output "secrets_rotation_function_arn" {
+  value = var.deploy_secrets_rotation ? aws_lambda_function.secrets_rotation[0].arn : null
+}

data/lambda/terraform/functions/variables.tf

@@ -0,0 +1,65 @@
+variable "iam_role_arn" {
+  type        = string
+  description = "IAM role arn for functions"
+}
+
+variable "image_url" {
+  type        = string
+  description = "Image url for deploy"
+}
+
+variable "dynamodb_table_name" {
+  type        = string
+  description = "dynamodb table name to use"
+}
+
+variable "create_dynamodb_table" {
+  type        = bool
+  description = "Create dynamodb table"
+  default     = true
+}
+
+variable "function_name_prefix" {
+  type        = string
+  description = "function name prefix"
+}
+
+variable "deploy_rack" {
+  type        = bool
+  description = "Deploy rack function"
+  default     = true
+}
+
+variable "rack_memory_size" {
+  type    = number
+  default = 256
+}
+
+variable "deploy_secrets_rotation" {
+  type        = bool
+  description = "Deploy secrets rotation function"
+  default     = true
+}
+
+variable "enable_function_url" {
+  type        = bool
+  description = "Enable function URL"
+  default     = true
+}
+
+variable "config_ru" {
+  type        = string
+  description = "File content of config.ru"
+  default     = "raise 'empty config_ru'\n"
+}
+
+variable "environment" {
+  type        = map(any)
+  description = "Additional environment variables"
+  default     = {}
+}
+
+variable "architectures" {
+  type    = list(string)
+  default = ["x86_64"]
+}

data/lambda/terraform/functions/versions.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}

data/lambda/terraform/iam/aws.tf

@@ -0,0 +1,2 @@
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}

data/lambda/terraform/iam/outputs.tf

@@ -0,0 +1,7 @@
+output "role_arn" {
+  value = aws_iam_role.role.arn
+}
+
+output "role_name" {
+  value = aws_iam_role.role.name
+}

data/lambda/terraform/iam/role.tf

@@ -0,0 +1,77 @@
+resource "aws_iam_role" "role" {
+  name                 = var.role_name
+  description          = var.role_description
+  assume_role_policy   = data.aws_iam_policy_document.role-trust.json
+  permissions_boundary = var.role_permissions_boundary
+}
+
+data "aws_iam_policy_document" "role-trust" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = "Service"
+      identifiers = [
+        "lambda.amazonaws.com"
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "role-AWSLambdaBasicExecutionRole" {
+  role       = aws_iam_role.role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_role_policy" "role-dynamodb" {
+  count  = local.dynamodb_table_arn != null ? 1 : 0
+  role   = aws_iam_role.role.name
+  policy = data.aws_iam_policy_document.role-dynamodb.json
+}
+
+data "aws_iam_policy_document" "role-dynamodb" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "dynamodb:DeleteItem",
+      "dynamodb:Query",
+      "dynamodb:UpdateItem",
+    ]
+    resources = [local.dynamodb_table_arn]
+  }
+}
+
+resource "aws_iam_role_policy" "role-secretsmanager" {
+  count  = length(var.secret_arns) > 0 ? 1 : 0
+  role   = aws_iam_role.role.name
+  policy = data.aws_iam_policy_document.role-secretsmanager.json
+}
+
+data "aws_iam_policy_document" "role-secretsmanager" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:GetSecretValue",
+
+    ]
+    resources = toset(var.secret_arns)
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:PutSecretValue",
+      "secretsmanager:UpdateSecretVersionStage",
+    ]
+    dynamic "condition" {
+      for_each = var.secrets_rotation_function_arn != null ? { hardening = true } : {}
+      content {
+        test     = "StringEquals"
+        variable = "lambda:SourceFunctionArn"
+        values   = [var.secrets_rotation_function_arn]
+      }
+    }
+    resources = toset(var.secret_arns)
+  }
+
+}

data/lambda/terraform/iam/variables.tf

@@ -0,0 +1,44 @@
+variable "role_name" {
+  type        = string
+  description = "IAM Role name to create"
+}
+
+variable "role_description" {
+  type        = string
+  description = "IAM Role description to specify"
+  default     = "sorah/himari lambda function role"
+}
+
+variable "role_permissions_boundary" {
+  type        = string
+  description = "IAM Role permissions boundary to specify"
+  default     = null
+}
+
+variable "dynamodb_table_arn" {
+  type        = string
+  description = "DynamoDB Table ARN"
+  default     = null
+}
+
+variable "dynamodb_table_name" {
+  type        = string
+  description = "DynamoDB Table name"
+  default     = null
+}
+
+variable "secret_arns" {
+  type        = set(string)
+  description = "Secrets Manager secret ARNs"
+  default     = null
+}
+
+variable "secrets_rotation_function_arn" {
+  type        = string
+  description = "ARN of rotation function. If set, it will be used to harden the write action policy"
+  default     = null
+}
+
+locals {
+  dynamodb_table_arn = coalesce(var.dynamodb_table_arn, var.dynamodb_table_name != null ? "arn:aws:dynamodb:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:table/${var.dynamodb_table_name}" : null)
+}

data/lambda/terraform/iam/versions.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.0"
+    }
+  }
+}

data/lambda/terraform/image/aws.tf

@@ -0,0 +1 @@
+data "aws_region" "current" {}

data/lambda/terraform/image/copy.tf

@@ -0,0 +1,45 @@
+ephemeral "aws_ecr_authorization_token" "repo" {}
+
+locals {
+  # Map Lambda's architecture notation to the source image's OS/arch so skopeo
+  # picks the matching image out of the multi-arch index deterministically,
+  # regardless of the host running Terraform.
+  skopeo_platform = {
+    x86_64 = { os = "linux", arch = "amd64" }
+    arm64  = { os = "linux", arch = "arm64" }
+  }[var.architecture]
+}
+
+resource "null_resource" "copy-image" {
+  triggers = {
+    region           = data.aws_region.current.region
+    repository_url   = aws_ecr_repository.repo.repository_url
+    source_image_tag = var.source_image_tag
+    architecture     = var.architecture
+  }
+
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-c"]
+    # public.ecr.aws is pulled anonymously; only the destination ECR needs credentials.
+    # The password is fed over stdin into a temporary authfile rather than passed as a
+    # command-line argument, so it never appears in the process argument list.
+    command = <<-EOT
+      set -euo pipefail
+      authfile="$(mktemp)"
+      trap 'rm -f "$authfile"' EXIT
+      # skopeo login reads the authfile before merging the new credential into it,
+      # so seed it with an empty JSON object; mktemp's 0-byte file is invalid JSON.
+      printf '{}' > "$authfile"
+      printf '%s' "$DEST_PASSWORD" | skopeo login --username AWS --password-stdin --authfile "$authfile" "$${REPOSITORY_URL%%/*}"
+      skopeo copy --authfile "$authfile" --override-os "$OVERRIDE_OS" --override-arch "$OVERRIDE_ARCH" "docker://public.ecr.aws/sorah/himari-lambda:$SOURCE_IMAGE_TAG" "docker://$REPOSITORY_URL:$SOURCE_IMAGE_TAG"
+    EOT
+
+    environment = {
+      DEST_PASSWORD    = ephemeral.aws_ecr_authorization_token.repo.password
+      REPOSITORY_URL   = aws_ecr_repository.repo.repository_url
+      SOURCE_IMAGE_TAG = var.source_image_tag
+      OVERRIDE_OS      = local.skopeo_platform.os
+      OVERRIDE_ARCH    = local.skopeo_platform.arch
+    }
+  }
+}

data/lambda/terraform/image/ecr.tf

@@ -0,0 +1,42 @@
+resource "aws_ecr_repository" "repo" {
+  name = var.repository_name
+}
+
+resource "aws_ecr_repository_policy" "repo-lambda" {
+  repository = aws_ecr_repository.repo.name
+  policy     = data.aws_iam_policy_document.repo-lambda.json
+}
+
+data "aws_iam_policy_document" "repo-lambda" {
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+    actions = [
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer"
+    ]
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "repo" {
+  repository = aws_ecr_repository.repo.name
+  policy = jsonencode({
+    rules = [
+      {
+        rulePriority = 10
+        description  = "expire old images"
+        selection = {
+          tagStatus   = "any"
+          countType   = "imageCountMoreThan"
+          countNumber = 10
+        }
+        action = {
+          type = "expire"
+        }
+      }
+    ]
+  })
+}

data/lambda/terraform/image/outputs.tf

@@ -0,0 +1,9 @@
+output "image" {
+  value = {
+    url = "${aws_ecr_repository.repo.repository_url}:${var.source_image_tag}"
+
+    repository_url = aws_ecr_repository.repo.repository_url
+    repository_arn = aws_ecr_repository.repo.arn
+  }
+  depends_on = [null_resource.copy-image]
+}

data/lambda/terraform/image/variables.tf

@@ -0,0 +1,20 @@
+variable "repository_name" {
+  type        = string
+  description = "Repository name to create on your AWS account"
+}
+
+variable "source_image_tag" {
+  type        = string
+  description = "Image tag for public.ecr.aws/sorah/himari-lambda. You can use Git commit hash on https://github.com/sorah/himari"
+}
+
+variable "architecture" {
+  type        = string
+  default     = "x86_64"
+  description = "Lambda CPU architecture to copy from the multi-arch source image (x86_64 or arm64)"
+
+  validation {
+    condition     = contains(["x86_64", "arm64"], var.architecture)
+    error_message = "architecture must be one of: x86_64, arm64."
+  }
+}

data/lambda/terraform/image/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.10"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.0"
+    }
+  }
+}

data/lambda/terraform/signing_key/aws.tf

@@ -0,0 +1 @@
+data "aws_region" "current" {}

data/lambda/terraform/signing_key/outputs.tf

@@ -0,0 +1,3 @@
+output "secret_arn" {
+  value = aws_secretsmanager_secret.signing_key.arn
+}

data/lambda/terraform/signing_key/secret.tf

@@ -0,0 +1,18 @@
+resource "aws_secretsmanager_secret" "signing_key" {
+  name = var.secret_name
+
+  tags = {
+    HimariKey = base64encode(jsonencode(var.keygen_params))
+  }
+}
+
+resource "aws_secretsmanager_secret_rotation" "signing_key" {
+  secret_id           = aws_secretsmanager_secret.signing_key.id
+  rotation_lambda_arn = var.rotation_function_arn
+
+  # XXX: https://github.com/hashicorp/terraform-provider-aws/issues/22969
+  rotation_rules {
+    automatically_after_days = 16
+  }
+
+}

data/lambda/terraform/signing_key/variables.tf

@@ -0,0 +1,24 @@
+variable "secret_name" {
+  type        = string
+  description = "Secret name to create"
+}
+
+variable "rotation_function_arn" {
+  type        = string
+  description = "Lambda function ARN to handle secret rotation"
+}
+
+variable "rotate_automatically_after_days" {
+  type        = number
+  description = "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation#automatically_after_days"
+  default     = 16
+}
+
+variable "keygen_params" {
+  type        = object({ kty = string, len = string })
+  description = "keygen params"
+  default = {
+    "kty" = "rsa"
+    "len" = 2048
+  }
+}

data/lambda/terraform/signing_key/versions.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}